Policy File Evaluation Order

Article ID: 166764

Products

Advanced Secure Gateway Software - ASG, ProxySG Software - SGOS

Issue/Introduction

You want to know the order in which ProxySG policy is applied to user requests and, if necessary, change that order.

Resolution

The order in which the ProxySG appliance evaluates policy rules is important. Changes to the evaluation order might result in less effective policy, as the order of policy evaluation defines general rules and exceptions. While this order is configurable, the default and recommended order is:

  1. Common Policy (if the appliance is subscribed to the ThreatPulse Auto Policy Synchronization feature; SGOS 6.4 and later)
  2. Visual Policy Manager (VPM)
  3. Local Policy
  4. Central Policy
  5. Forward Policy

This prevents policies in the Central file that block virus signatures from getting inadvertently overridden by Allow (access-granting) policy rules in the VPM and Local files.

When changing the policy file evaluation order, remember that final decisions can differ because decisions from files later in the order can override decisions from earlier files.

  • For a new ProxySG appliance, the default evaluation order is: VPM, Local, Central, and Forward.
  • For an upgraded ProxySG, the policy evaluation order is the order already existing on the appliance before the upgrade.


To change policy order, perform the following steps in the Management Console:

1. Select Configuration > Policy > Policy Options.
2. To change the order, select the file to move and click Move Up or Move Down.

  • Remember, the last file in the list overwrites decisions in files evaluated earlier.
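
The override behavior described above can be checked before reordering files. The following is an added example, not Symantec/Broadcom code: it uses a simplified model (an assumption) in which each policy file yields ALLOW, DENY, or no decision for a request, and the function names and sample decisions are hypothetical.

```python
# Simplified model (assumption): files are evaluated in order and a later
# file's decision replaces an earlier one, as the article describes.
DEFAULT_ORDER = ["VPM", "Local", "Central", "Forward"]


def evaluate(order, decisions):
    """Walk the files in order.

    decisions maps file name -> "ALLOW", "DENY" or None (no decision).
    Returns (final_decision, deciding_file, overrides), where overrides is a
    list of (earlier_file, earlier_decision, later_file, later_decision).
    """
    final, decided_by, overrides = None, None, []
    for name in order:
        decision = decisions.get(name)
        if decision is None:
            continue  # this file says nothing about the request
        if final is not None and decision != final:
            overrides.append((decided_by, final, name, decision))
        final, decided_by = decision, name
    return final, decided_by, overrides


def weakened_denies(order, decisions):
    """Return overrides where a later file turns an earlier DENY into ALLOW."""
    _, _, overrides = evaluate(order, decisions)
    return [o for o in overrides if o[1] == "DENY" and o[3] == "ALLOW"]


# Constructed sample: a VPM rule allows the request, the Central file blocks it.
SAMPLE = {"VPM": "ALLOW", "Local": None, "Central": "DENY", "Forward": None}

if __name__ == "__main__":
    reordered = ["Central", "VPM", "Local", "Forward"]
    for order in (DEFAULT_ORDER, reordered):
        final, by, _ = evaluate(order, SAMPLE)
        print(" > ".join(order), "->", final, "decided by", by)
        for earlier, _, later, _ in weakened_denies(order, SAMPLE):
            print("  warning:", earlier, "DENY is overridden by", later, "ALLOW")
```

With the default order the Central block stands; with Central moved to the top, the VPM allow replaces it and the check reports the weakened deny.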